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Abstract — Algebraic immunity of Boolean function / is defined 
as the minimal degree of a nonzero g such that fg — or 
if + 1).9 — 0. Given a positive even integer n, it is found that 
the weight distribution of any n-variable symmetric Boolean 
function with maximum algebraic immunity ^ is determined by 
the binary expansion of n. Based on the foregoing, all n-variable 
symmetric Boolean functions with maximum algebraic immunity 
are constructed. The amount is (2wt(n) + 1)2L'°S2"J. 

Index Terms — Algebraic attack, algebraic immunity, symmet- 
ric Boolean function. 



I. Introduction 

ALGEBRAIC attacks have received much attention in 
cryptographic analyzing stream and block cipher systems 
H], IS, ifTSl . which try to recover the secret key by solv- 
ing overdefined systems of multivariate equations. Therefore, 
algebraic immunity (AI), a new cryptographic property for 
designing Boolean functions, was proposed by W. Meier et 
al. jT4]. Algebraic immunity of the Boolean function used 
in a cryptosystem should be high enough to resist algebraic 
attacks. The upper bound of the algebraic immunity of an n- 
variable Boolean function is |6], [l^- Several theoretical 
constructions of Boolean functions with optimal AI have been 
presented in the literature [5], [8], HOl, ifTSll . 

Symmetric Boolean functions are of great interest from a 
cryptographic point of view. An n-variable symmetric Boolean 
function can be identified by an {n + l)-bit vector, so sym- 
metric Boolean functions have smaller hardware size than 
average Boolean functions. They allow the computation of 
values for functions with more variables than general ones. 
For this reason, symmetric Boolean functions have been paid 
particular attention. 

For an odd integer n, Dalai et al. showed that a Boolean 
function with maximum AI should be balanced fS). In ifTSl . it 
was proved that the majority function Maj,j and its comple- 
ment Maj„ + 1 are the only two trivially balanced symmetric 
Boolean functions with maximum AI. It also has been proven 
that the number of symmetric Boolean functions with maxi- 
mum AI is exactly two lfT6l . 

For the case where n is even, the situation becomes 
very complicated. A few classes of even-variable symmetric 
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Boolean functions with maximum AI have been constructed in 
ifTSll . Q. However, only the number and form of 2™-variable 
symmetric Boolean functions with maximum algebraic im- 
munity have been solved by introducing the weight support 
technique llOj . This method has also been used to determine 
the number of (2™ + l)-variable symmetric Boolean functions 
with submaximum algebraic immunity 2™~^ llT2ll . 

In this paper, we first study the weight distribution of 
those n-variable symmetric Boolean functions achieving max- 
imum algebraic immunity with n even. We find that the set 
N = {0, 1, 77,} can be divided into some particular 
subsets according to the binary expansion of n, on which the 
Boolean functions should be constant. Meanwhile, the values 
of the functions on these subsets should satisfy some strict 
conditions. Furthermore, we continue to prove that all the 
symmetric Boolean functions constructed following the above 
laws indeed achieve maximum algebraic immunity. Thus, we 
construct all the even-variable symmetric Boolean functions 
with maximum algebraic immunity. The number of these 
functions and their corresponding hamming weights are also 
obtained. 

The organization of the paper is as follows. In the following 
section, we present some basic notations and knowledge about 
Boolean functions. In section 3, we obtain some necessary 
conditions for an even-variable symmetric Boolean function 
to reach maximum algebraic immunity. In the next two sec- 
tions, we prove that these conditions are sufficient. The main 
theorem of this paper is given in section 6. Section 7 concludes 
the paper. 

II. Preliminaries 
Let F2 be the ?i-dimensional vector space over the finite 



field F2, and Cg, e 



■ , e"_]^ be its normal basis. 



(LO,...,0),er = (0,l,...,0),...,e 



n-l 



(0,0,...,!). 



The superscript n may be omitted if there is no confusion. 

An n-variable Boolean function is a function from F2 into 
F2. Let Bn be the ring of Boolean functions on n variables 
xi,X2, ■ ■ ■ ,Xn, then 

B„ = F2[a::i, . . .,Xn]/{xl + Xi,...,xl + Xn), 

and every / G B„ can be uniquely written in the polynomial 
form / = X]/eF." '^i^^ ^ where x^ = x\^x^2 ' ' '^IT' which is 
called the algebraic normal form (ANF) of /. The algebraic 
degree of /, denoted by deg(/), is the degree of the polyno- 
mial. 
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For / G B„, the algebraic immunity of /, denoted by AI(/) 
is defined to be the lowest degree of nonzero annihilators of 
/ or / + 1, i.e., 

AI(/) = min{deg(g) \ g ^ OJg = ov {f + l)g = 0}. 

Two Boolean functions / and g are called to be affine 
equivalent if there exist A G GL„(F2) and if G F2 such that 
g{x) = .f{xA + if). Clearly, algebraic degree and algebraic 
immunity are both affine invariant. 

Let a = (ai, a2, ■ ■ ■ , a„) G F2 , the Hamming weight of a, 
denoted by wt(a), is the number of I's in {ai, a2, ■ ■ ■ , a„}. 
For an integer i > with 2-adic expansion i = X^jlo*^^-'' 
wt(i) represents the Hamming weight of its binary expansion 
{im, ■ ■ ■ , ii,io)2- 

Let supp(/) = {x G F2 I f{x) = 1}, the cardinaHty of 
supp(/), denoted by wt(/), is called the Hamming weight of 
/. We say that an 77,-variable Boolean function / is balanced 
if wt(/) = 2""^ The weight support [[T0| of /, denoted by 
WS(/), is defined to be 

WS(/) = {i\3 X e supp(/) such that wt(x-) = i}. 

We will use Pb to represent the polynomial 

{Xi + X2){X3 + 2:4) • • • {X2b-1 + X2b)- 

Note that Pb is a (26)-variable polynomial with dcg(Pb) = b 
and WS(Pb) = {b}. 

A Boolean function / is symmetric if its output is invariant 
under any permutation of its input bits, i.e., 

f{xi,X2,...,Xn) = /(a;<j(i),a;^(2), ■ ■ ■ ,a;^(„)) 

for any permutation of {1,2,..., n}. 

Let SB„ be the ring of symmetric Boolean functions on 
n variables xi,X2, ■ ■ ■ ,Xn, then every / G SB„ can be 
represented by a vector 

where the component Vf{i) represents the function value for 
vectors of weight i. The vector w/ is called the simplified 
value vector (SVV) of /. If / G SB„ and f'{xi, ...,Xn) ^ 
f{xi + 1, . . . , Xn + 1), then /' G SB„ is affine equivalent to 
/, and Vf'{i) ~ Vf{n — i), for any < i < n. 

On the other hand, the ANF of / can be written as 

n 

f{xi,X2,-.-,Xn) =^A/(i)cr", 

i=0 

where ct" is the homogeneous symmetric Boolean function on 
n variables which consists of all the terms of degree i. The 
vector 

A/ = (A(0),A(l),...,A(n))GF2"+i 

is called the simplified algebraic normal form (SANF) vector 
of /. Both Vf and A/ can be regarded as mappings from 
{0,1,..., n} to F2. 

Let a and b be two nonnegative integers with 2-adic expan- 
sions 

m m 

a = 5^a,2^ b^J2^,2^- 

j=o j=o 



We say a ^ b if aj < bj for any < j < m and a ^ 6 if 
a < b and a ^ b. Using the Lucas formula which states that 
(b) = 1 e F2 if and only if & ^ a, we can derive the following 
two lemmas: 

Lemma 2.1: ID Let / be an n-variable symmetric Boolean 
function. Then 

Lemma 2.2: ID For ^ > 1, suppose / G SB„ and deg(/) < 
2^, then vj has period 2^, which means Vf{i) = Vf{i + 2^) 
for < i < n - 2^. 

Lemma 2.2 can be derived easily from Lemma 2.1. 

Lemma 2.3: l9\ Let n = 2k and G,i be an n-variable 
symmetric Boolean function. If its simplified value vector 
satisfies 

jo, for i < k, 

^G„i^) = \ . f ■ ^ u 
I 1, tor I > k, 

then AI(G„) = k. Function G„ is called the majority function. 

Lemma 2.4: fTOl Suppose that n > 2 and / G SB,i. If 
there exists g <E B„, such that fg = 0, then there exists b, 
< 6 < Lf J and ^ h{x2b+u ■ ■ • e SB„_26, deg(/i) < 
deg(,9) - b, such that fhPb = 0. 

Lemma 2.5: Suppose n ^ 2k and / G SB„. If AI(/) = k, 
then wt(u/) £ {k,k + 1}. 

Proof: It is sufficient to prove that when wt(w/) < fc or 
wt(/) > k + 1, /or/ + l has a nonzero symmetric annihilator 
with degree less than k. Without loss of generality, we consider 
that wt{vf) < k. Otherwise, we can replace / by / + 1. 

Let g = J2^Zo ^gi'^)'^i ^ symmetric annihilator of /. 
Hence, fg = Oif and only if for all Vf{i) = 1, Vg{i) = 
holds. Thus, by Lemma 2.1, •wt{vf) equations on k variables 
Ag(0), . . . , Ag(fc — 1) are obtained, where the number of 
equations is less than the number of unknowns. Therefore, at 
least one nonzero solution exists, which impUes the existence 
of such an annihilator. ■ 

III. Necessary Conditions for Even- variable 
Symmetric Boolean Functions with Maximum AI 

We always assume n = 2k. In this section, we will 
present the constraints on the simplified value vector for 
an n-variable symmetric Boolean function / with maximum 
algebraic immunity k step by step. First, we present Lemma 
3.1 and Theorem 3.1, where Lemma 3.1 is a special case 
of Theorem 3.1. According to Lemma 3.1 and Theorem 3.1, 
several notations and definitions are given. Based on them, 
we present Corollary 3.1, Theorem 3.2, Theorem 3.3, and 
Theorem 3.4, which are the main results of this section. 
Theorem 3.5 concludes this section by showing two classes 
of symmetric Boolean functions satisfying all the necessary 
conditions. The following lemma is very important. 
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Lemma 3.1: Let n = 2^+^/1 with p, fJ, > 1, and / G SB„. 
If AI(/) = k, then 

Vf{2Pfi - 2Pi + 2P-^) = w/(2P/i + 2Pj - 2^-1) + 1 (1) 

for any 1 < i, j < fJ.- 

Proof: We will prove this theorem by induction on 
parameter fi. 

Basis: When /i = 1, it is true due to Theorem 2.2 of [TT] . 

Induction: Assuming the theorem is true for n = £ > 1, 
we claim that it is also true for ^ = £ + 1. Now, let n = 
2k = 2P+^{£+l) and / e SB„ with AI(/) = fc = 2p(^ + 1). 
We will prove that the Boolean function / satisfies Vf{2P{£ + 
1) - 2Pi + 2P-1) = Vf{2P{£ + 1) + 2Pj - 2P-1) + 1 for any 
1 ^ hj < £ + I in the following four steps. 

In step 1, we prove ([T]i for 1 < i,j < £; in step 2, for 
I < j < £ eind i ^ £ + 1; in step 3, for 1 < z < ^ and 
j — £ + 1; and in step 4, for i = £ + 1 and j ~ £ + 1. 

Step 1 Assume to the contrary that Vf{2P{£ + 1) - 2Pi + 
2P-1) Vf{2P{£ + 1) + 2Pj - 2P-1) for some 1 < ij < 
£, letting /' e SB2p+1£ on variables X2p+i+i, X2p+i+2^ ■ • 
a;2P+i(£+i), be defined as 

Vf,^{vf{2P),Vf{2P + l),...,Vf{2P+H + 2P)). 

Then we have Vf,{2P£-2Pi + 2P-^) = Vf.{2P£ + 2Pj -2p-^). 
By induction hypothesis, there exists h E B2P+H on 
variables a;2P+i+i, a;2P+i+2' ■ • ^2^+^(1+1) with deg(/i) < 
2P^, such that hf = or + 1) = 0. 

For the case hf = 0, let g = hP2P. Then, we claim that 
fg = 0. To prove the foregoing, we study the weight supports 
of g and /. First, by WS(P2p) = {2^} and the fact that P2P 
and h deal with different variables, we know that WS{g) = 
{i + 2P\i e WS(/i)} and WS(g) n {i\0 < i < 2^, n - 2^ < 
i < n} = 9. Second, we know that WS(/) = {i + 2P\i e 
WS(/')} U {i\0 < i < 2P,n ~ 2P < i < n,Vf{i) = 1} by 
the definition of /'. Third, we have WS(/') n WS{h) = 
because f'h 0. Thus, we have WS(/) n WS(,g) = {i + 
2P\i £ WS(/')} n{i + 2P\i G WS(/i)} = 0, which means 
fg = 0. For the case h{f' + l) = 0, we can prove similarly that 
{f+l)g = 0. This contradicts AI{f) = k because deg{g) < k. 
Therefore, 

Vf{2P{£+l)-2Pi+2P-^) ^ Vf{2P{£+l)+2Pj-2P-^)+l (2) 
for any I < i, j < £■ 

Step 2 Assume to the contrary that (7/(2^^^) = Vf(2P{£ + 
1) + 2Pj — 2P~^) for 1 < j < ^. To deduce a contradiction, 
we construct an annihilator g of / or / + 1 as follows. 

Define g G SB2P+i(f+i) by 

A m^l^' if 7/' > or 2P-1 2< V, 
^ [1, if iP <k and 2P"i ^ ?/'• 

We claim that g is an annihilator of / or / + 1 . To prove the 
claim, we study the weight support of g. Let lu G WS{g), then 
Vg{<jj) = 1. By Lemma 2.1, we have 

i/; < A; 



Let 

S-^ = {^Ij\2P-^ ^iIj <uj,i} <k^ 2P{1 + 1)}, 

then Vg{Ld) ~ \Si^\ mod 2, which means Ug(cL>) = 1 if and 
only if \Si^\ is odd. Let lu = (w„,a;,„_i • • •a;o)2 be the binary 
expansion of cj. 

i) If a; < k, we claim that \Slj\ is odd if and only if ut = 
2P-^. For 2P^i ^ w, there is no ^ satisfying 2^-1 ^ V ^ 
oj, which means Su = 0. For 2^"^ ^ oj, the number of V' 
such that 2P-^ < ^ < lo is 2"t(")-wt(2''-i) ^ 2*'(")-i, 
which is odd only when lo = 2P~^. 

ii) If w > fc, we claim that \Suj \ is odd only if LOp-i = 1 and 

= for all < t < 1. Otherwise, if = 0, then 
2^^"^ ;^ and there is no -0, such that 2p~^ di ^ ^, 
which implies that 5*^^ = 0. If tutg = 1 for some < < 
p ~ I, and ip = (V'mV'm-i ■ • ■ "00)2 is an element of S^^, 
then it is clear that tp' = {tpm ■ ■ ■ V'to+iV'toV'to-i " ' • ^^0)2 
also satisfies 2P'^ ^ 0' ^ o; and -0' < = 2p{£ + 1), 
where 0tj, = 0t„ + 1. Thus, -0' is also an element of 
Suj, which means the elements in Suj come into pairs. 
Thus, \Suj\ is even, which is a contradiction. Therefore, 
if Vg{uj) = 1, then ujp-i = 1 and ojt ~ for all < < < 
p-1. 

Combining the results of i) and ii), we have 

WS(5) C {2P~\2P{£ + 1) + 2Pj - 2P-\ l<j<£+ 1}. 

Note that w/(2P-i) = Vf{2P{£+ 1) + 2Pj - 2p-^),1 < j < £, 
if we can prove that 2p(^ + 1) + 2p(£+ 1) - 2p-i = ?i - 2p-^ 
is not in WS(.g), then we have fg = or (1 + f)g = since 
/ is constant on the support of g. Since dcg(5) < k, we have 
AI{f) < k. It is a contradiction, and will end the proof of 
this part. Therefore, we will prove Vg{n — 2p~^) = 0. Note 
that once it is proved, we finish the proof of this part. 

Letu = n-2P-^ = 2P+^£ + 2P + 2P-\ 7/; be an element of 
Suj- According to the definition of S^j, we can see that there 
exists some integer < s < £, such that -0 — 2Ps + 2p~^. Let 
Ti = {s\s ^ 2£ + 1,0 < s < £}. Hence we have \Suj\ = \Te\ 
by the definition of 5*^^. What we need is to prove that jT^j is 
even for all f > 1. It is not a difficult task, and the reader can 
give a proof by himself/herself, or follow the proof below. 

If ^ = 2'' — 1 for some positive integer r, then 2£ + 1 — 
2r+i _ I jjjjjg^ s d 2£+l for every < s < £, which 
means \Te\ = £ + I = 2^. It is in contradiction with that 
|5'„| = \Ti\ is odd. Otherwise, let £ = (4n^m-i • • ■ 4)2 be 
the binary expansion of £, then there exists some integer 1 < 
t < m such that = £m-i = ■ • ■ = 4n-(t-i) = 1 and 
£,n-t = 0, namely £ = (ll_^0£,„_f_i • • • £0)2- Then 2£ + 

t 

1 = (l]_^^04,i-t-i • • •41)2- Let s = (s„,s„_i • • -50)2, 
t 

then s ^ 2^ + 1 implies s^^^t+i = 0, which means s < ^ by 
the structure of £. Thus, by the definition of Ti, s G if and 
only if s d2£+ 1. Since s < 2'"+i and {2£ + 1)^+1 = 1, 
where {2£ + l)m+i denotes the (to + 1)* bit in its binary 
expansion, we have \T(\ = 2*'(2^+i)-i^ Since ^ > 1, we have 
wt(2^+ 1) - 1 > which means \Suj\ = \Ti\ also even. Thus, 
we finish the proof of this step, i.e., 

Vf{2P-') = Vf{2P{£ + 1) + 2Pj - 2P-1) + 1 (3) 
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for 1 < .7 < £. 

Step 3 Assume to the contrary that w/(2p(£ + 1) - 2^1 + 
2P'i) = Vf{2P+^{e + 1) - 2P-1), for 1 < i < £ Similar 
with step 2, by using g' instead of g, where g'{xi, . . . , .t„) = 
g{xi + 1, . . . , a;„ + 1), we can get fg' or (/ + l)g' = 0, 
which contradicts AI(/) = k. Thus, 

Vfi2P{e+l)-2Pi + 2P-^) =w/(2P+i(£ + l)-2P-i) + l (4) 

for any 1 < i < £. 

Step 4 Combining the above three steps, we have 

Vf{2P-') 

= Vf{2P{e+l) + 2Pj ~2P~^) + 1 by a 
= Vf{2P{e+l) -2Pi + 2P-^) by© 
= w/(2P+i(£+ 1) - 2P-1) + 1 by® 

for any 1 < i,j < L Thus, u/(2p(£ + 1) - 2Pi + 2^-1) 
Vf{2P{l + 1) + 2*'j - 2P-1) + 1 for i = j = £ + 1. 

Combining the above four steps, Vf{2P{i + 1) — 2^1 + 
2P-1) w/(2P(^ + 1) + 2Pj - 2P-1) + 1 holds for any 
1 < < £ + 1. Therefore, the theorem is also true for 
fi = £ + 1. This completes the proof. ■ 

In Lemma 3.1, n should be a multiple of 4. The following 
theorem generalizes Lemma [TTI to a wider situation, where n 
can be any even number 

Theorem 3.1: Let n = 2^'+^/i + 2m with p, fJ, > I and 

< m < 2P, / e SB„. If AI(/) = k, then 

t;/(2''Ai + m - 2Pi + 2P-^) = u/(2V + ™ + 2Pj - 2^-^) + 1 

for any I < i, j < 

Proof: Assume to the contrary that v f (2^/1 + m — 2Pi + 
2P-1) = vj:{2Pfi + m + 2Pj-2P-^) for some 1 < i,j < fj.. Let 
/' e SBsp+i^ on variables X2m+i, X2m+2, ■ ■ ■, a;2P+v+2m> be 
defined as 

Vf> = {vf{m), Vf{m + 1), . . . ,Vf{2P~^^^ + m)). 

Then we have D//(2P/^-2Pi + 2P-i) = Vf,{2P^i + 2Pj-2P-^). 
By Lemma AI(/') < 2p^, thus there exists Q ^ h e 
B^p+i^, with dcg(/7,) < 2P/X such that f'h = or {f'+l)h = 0. 
Let g — hPjn- Following the argument of step 1 in Lemma ITT] 
we claim that fg = or (/ + l)g = with deg(5) < 2Pfi + 
m = k, which contradicts AI(/) = k. Therefore, Vf{2P^ + 
m-2Pi + 2P-^) = Vf{2P^i + m + 2Pj - 2^-1) + 1 for any 

1 < «,j < ■ 

For example, when n = 2k = 14, we have 

. if p = 1, /i = 3, m = 1, then {2Pfi+m-2Pi+2P-^, 2Pfj.+ 

m + 2Pj - 2P-i|l < i,j <n} = {2,4,6,8,10,12}, 
. if p = 2, = 1, m = 3, then {2Pfi+m-2Pi+2P-'^, 2?^+ 
m + 2Pj - 2P-^\1 < ij < n} = {5,9}. 
Theorem 3.1 sets constraints on Vf{uj) for uj G {2, 4, 5, 6, 8, 9, 
10, 12}. 

For convenience of description, we introduce a partial order 
on nonnegative integers denoted as 



Definition 3.1: Given two binary expansions of nonnegative 
integers a = (a^, a^-i, . . . , 00)2, b = {bi, bi-i, 60)2, 1 < 
£ < s, we define 

b^' a^b = or b,^ a, for all < i < £; 
b a^b ^' a and b ^ a. 

For example, we have 3 ^' 7 because 7 = (111)2 and 3 = 
(11)2. 

For any nonnegative integer k, let ~ {i,2k~i\i -<' k}. 
By the definition of -<', |B''| = 2wt(fc). 

Definition 3.2: For any positive integer n — 2k, we divide 
the set {0,1,..., n} into a series of subsets A,f, where 

Af = {k - {2] + l)2'-\k+ {2j + l)2*-i I < j < 

2 J' 

for 1 < i < [log2 n\ . The superscript k may be omitted if 
there is no confusion. 

The union of sets {{2j + 1)2'~^ \ j G N} over all i e is 
a partition of N^, so these subsets have no intersection with 
each other, and {0, 1, . . . , n} = Ul=o' A*- 

For example, when n = 2k = 14, we have Aq = {7}, A[ = 
{0, 2, 4, 6, 8, 10, 12, 14}, A^ = {1, 5, 9, 13}, A,^ = {3, 11}. 

The main intuition of sets and -<' could be explained 
by the binary expansion of k, where k = (fcm,...,fco)2 
with km 7^ 0. For any a -<' k, it is easy to verify that 
a = (kj, fcj-i, ko)2, where kj = 1 and kj = kj + 1 = 0. 
And for every uj G A^, the binary expansion of ut is 
(*, fci_i, fci_2, ^0)2, where * is an arbitrary binary string, 
which means the right-most i bits of the binary expansion of 
Lj are exactly fci_i, fci_2, fco. 

The following Lemma contains some properties of A^, as 
well as the partial order -<'. 

Lemma 3.2: Supposing k = {k,n, • ■ • , fci, ^0)2- by the def- 
inition of A*^, a simple calculation gives the following; 

1) if j EA'y, then 2k ^ j e A^; 

2) for any < j < 2k, j = (j^ , . . . , ji, jo)2, j e h'i if and 
only if ji_2, ji, jo)={ki-i, fci_2, • • • , fci, fco), in 
particular, A^j = {fc}, A^i^^^ ^^^^={k^2^^°S2 fcJ ^ fc+2Li°g2 k\ }. 

3) A*^ contains an element (fci-i, fci-2, • ■ • , fci, fc"o)2 -<' k 
in B'' if and only if ki-i = 1. 

We explain the reason why we define the sets A,f and B'^. 
Given n = 2k = 2^+ V + 2m (p, fi > 1, < m < 2P), it is 
easy to verify that 

Ap 3 {2P ^+m-2Pi+2P-^ ,2P ^l+m+2Pj-2P-^\l < i,j < ^}, 

which means the uj of w/(a;) from the same equation defined 
by Theorem 3.1 are all included in the same A^. But A^ may 
contain two extra elements, which are 

A'^-{2P^i+m-2Pi+2P-\2Pn+m+2Pj-2P-^\l < i,j < ^i} 

_ j{m-2P-\n-m + 2P-^}, m - 2^-^ > 0, 
"[0, m-2P-^<0. 
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For the case m — 2^ ^ > 0, since m < 2^, we have rn = 
2P-1 + s (0 < s < 2P'i), which means m - 2^-1 -<' m ^' k. 
Besides, by the definition of partial order -<', if m + 2^/^ = A: 
(m < 2P, fi > 1), then 2Pfi + m - 2Pi + 2p~^ k for 
1 < i < /i. Thus, Theorem 3.1 shows constraints on Vf(uj) if 
and only if uj 2<' k, namely cj G {0, 1, n} - b'' - {k}. 

Equipped with these notations and basic properties, we can 
restate Theorem 13.11 concisely. 

Corollary 3.1: Let n ^ 2k and / e SB„. If AI(/) = k, 
then for any 1 < p < [log2 k\ and i, j e — B'"' - {k} with 
i < j < k, we have Vf{i)=Vf{j)=Vf{n'-j) + l=Vf{n — i) + l. 

Corollary 13.11 shows the constraints related to the values 
of Vf on {0, 1, . . . , - B*^ - {k}. In what follows, we will 
discuss Vf on B'' U {k}. 

Theorem 3.2: Let / G SB„. For any t k, t ^ k — 
2Liog2feJ, assume t G Ap. If 

+ l = Vf{t + 2P) = --- = Vf{k-2P-^) 

= Vf{k + 2P-^) + 1 = • ■ • = Vf{n -t-2P) + l 

= '"f{ri-t), (5) 

then AI(/) < k. 

Proof: Notice that Ap = {t,t+2P, . . . , k-2P-^, fc+2P-\ 
. . . , n~t~ 2P~^ , n — t}. If fc = 2* for some q, then only one 
i (i = 0) satisfies i -<' k and fc - 2L'°S2 '^J . it contradicts 
the conditions in this theorem. Therefore, we have fc ^ 2"? 
for any integer q. We only need to consider wt(vy) = fc or 
k+1. Otherwise, we have AI{f) < fc by Lemma [23] Without 
loss of generality, we assume wt(i'/) = fc. Otherwise when 
wt(w/) = fc + 1, we can replace / by / + 1 instead. 

We will prove that there exists a nonzero symmetric Boolean 
function g with degree less than fc, such that fg = which 
implies AI{f) < 0. Let g = J2iZo Notice that fg = 

if and only if for every = 1 we have 

0<j<fc-l 

by Lemma 2.1. Then, we can get a system of homoge- 
neous linear equations on variables Ac,(0), . . . , Ag(fc — 1) 
with wt{vf) = fc equations. The number of equations and 
unknowns of the equation system are both fc. In what follows, 
we will show that there are two same equations. Thus there 
must exist a nonzero solution of Ag(0), . . . , Ag(fc — 1), which 
implies the existence of g. 

Since k ^2'^ for any integer q, we assume 2^^^ < fc < 2^. 
Thus, we have t < 2^~^ and [log2 fcj = i — I. Since t ^ 
k - 2Li°g2 fcJ^ we have 2t^n-2'^=^n-t^t + 2'^^ 
n — t — 2^ ^ t. According to the definition of Ap, we have 
t + 2^ri-t-2^ G Ap. 

For the case Vf{t) = 1, since t + 2^ e Ap, t + 2^ > k 
and n - < 7^ i + 2^ we have Vf(t + 2'^) = Vf{t) = Ihy 
Consider the equations 

i:<t 

0<i<k 



and 

v,{t + 2')= ^9W=0. 

0<i<k 

It is easy to see that i ^ t is equivalent to i ^ t + 2^ for 

< I < fc; thus, the two equations above are exactly the 
same. 

For the case Vf{t) = 0, we could prove Vf{n — t) = Vf{n — 
t — 2^) = 1 similar to the case Vf{t) ~ 1. It is similar to 
verify that equations Vg{Ti — t) ^ and Vg{7i — t — 2^) ^ 
are exactly the same. 

Therefore, the nonzero symmetric annihilator with degree 
less than fc always exists, and AI(/) < fc. ■ 

For a given fc, the values t and n — t such that t k and 
t =/= k — 2L'°S2 '^J can occur in Theorem 3.2, but are excluded 
in Corollary 3.1. Theorem 3.2 focuses on the relationship 
between Vffuj) where u G {t,n ~ t}, and Vf{uj) where 
ui G Ap — {t, n~t}. In the following theorem, we will consider 
?;/(fc-2Li°S2fcJ) and fc + 2Li°g2 fcJ ), which are excluded 

in Theorem 3.2. 

Theorem 3.3: Let n 2fc and / G SB„. If AI{f) = fc, 
then there does not exist more than one integer i, such that 

1 k and Vf{i) = Vf{n — i). 

Proof: When fc = 2'' and q is an integer, there is only one 
i{i ~ 0) satisfying i ^' fc. The conclusion is trivial. Therefore, 
we only need to consider the case fc 7^ 2* for any integer q. 
By Lemma |231 we only need to consider wt(uy ) = fc or fc + 1. 
Without loss of generaUty, we assume wt(u/) = fc. Otherwise, 
when wt(w/) = fc + 1, we can replace / by / + 1 instead. 

Assume to the contrary that there exist more than one i 
such that i ^' k and Vf{i) = Vf{n — i). We will show the 
existence of a nonzero symmetric Boolean function g with 
degree less than fc such that fg = 0, which is contradicted 
with AI{f) = fc. 

Let g = J2'i=o ^g{^)^i- Notice that fg = if and only if 
for every Vf{i) = 1 we have 

= E ^s(j) = 

0<j<k-l 

by Lemma 2.1. Then, we can get a system of homoge- 
neous linear equations on variables Ag(0), . . . , Ag(fc — 1) with 
wt{vf) = fc equations. Notice the number of equations and 
unknowns are both fc. In what follows, we will show that 
there are two same equations; thus, there must exist a nonzero 
solution of Ag(0), . . . , Xg{k — 1), which implies the existence 
of g. 

We claim that there exists at least one ii such that ii ^' k 
and Vf{ii) = Vf{n — ii) = l under our assumption that more 
than one i k exist s.t. Vf{i) = Vf{n — i). Else, suppose 
V fif) = V f{n — i) = Q for all i k and Vf{i)=Vf{n — i). 
It is easy to verify that wt(/) < fc, because Vf{i) = Vf{n — 
i) + 1 for other i ^' k and Vf{ip) = Vf{n — ip) + I for 
an 'ip G {0, 1, n} - - {fc} due to Corollary 3.1. This 
is contradicted with wt(/) = fc. Thus the existence of ii is 
guaranteed. Since k ^ 2^ for any q, we assume 2^"^ < fc < 
2^. 
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Case 1: If ii 7^ fc - 2Li°S2fcJ, assume ii e Since 
k, according to Corollary 3.1, we have 



AI{f) 



or 



Vfiii) 



Vf{n - ii) = 1, 



Vf{k- 



2P' 



Vf{r 



= Vf{k 

Vf{n — 



2^^) + ! 
(6) 



^l 



2P-1) _ 



(7) 



By the definition of A^, we have ii 



2^ n-ii-2^ e At 



Since ii + 2 > k and n — ii — 2 < fc, we have Vf{n~ii) ~ 
Vf{n - ii - 2^) = 1 for © and + 2'') 1 

for (|7]i. Then, similar with the proof in Theorem 3.2, we can 
prove that they are two same equations in both cases, i.e., 
Vg{n — ii) =0 is equivalent to Vg{n — ii — 2^) =0 and 
Vg{ii) = equivalent to Vg{ii +2^) = 0. 

Case 2: For h = k - 2^^°e2 ^J, we have h ^ k - 2^-^ => 
2ii = 71 — 2^ =^ n — ii = 2^ + i\. Thus, we have Vf(i\) = 



Vf{n - i\) = Vf{ii + 2^) 
equations, 

Vg{n-h) = 



= 1. Consider the following two 



Xgil) = 0, 



E 



0<i<fc 



and 



0<i<k 



For < i < fc, we have i ^ 2*" + ii if and only if i ^ ii. 
Thus, the above two equations are equivalent. 

Therefore, the nonzero symmetric annihilator with degree 
less than k always exists, which is contradictory to AI{f) = fc. 
Thus, there cannot exist more than one integer i, such that 
i ^' k and Vf{i) = Vf{n — i). 

■ 

For the case one t exists such that t ^' k and Vf{t) = 
Vf{n — t), there exists another constraint, namely Theorem 3.4. 
This theorem is the last necessary condition for even-variable 
symmetric Boolean functions to reach maximum algebraic im- 
munity, which considers all the triples {vf{t),Vf{k), Vf{n—t)) 
when t ^' fc. 

Theorem 3.4: Let n = 2fc, / £ SB„. If AI(/) = fc, then for 
any t ^' fc, {vf{t),Vf{k), Vf{n - t)) ^ {(0, 0, 0), (1, 1, 1)}. 

Proof: According to Corollary 3.1, for any i and any p 
such that i € Ap — B^ — {k}, we have Vf{i) — v f{n—i) + l. By 
Theorem 3.3, for all elements of B*^, at most one t could exist 
such that t k and Vf{t)=Vf{n — t). Therefore, wt(w/) = 
fc - 1 if {vf{t),Vf{k),Vf{n - t)) = (0,0,0) for some t ^' fc 
and wt(u/) = fc + 2 if {vf{t),Vf{k),Vf {n - t)) = (1,1,1) 



for some t fc. By Lemma 
impossible. 



we know either case is 



In the end of this section, we take out all even-variable 
symmetric Boolean functions satisfying all the necessary 
conditions to achieve maximum algebraic immunity into the 
following two classes. 

Definition 3.3: Define two classes of symmetric Boolean 
functions on n variable, n = 2k, as follows. 

Class 1: For any Ap, I < p < [logj n\, and i,j £ Ap, 



Vf{i) 



Vf{j) + 1, if i < fc < j or j < fc < I, 
Vf{j), otherwise. 



Class 2: There is a function g contained in Class 1 and 
an integer t ^' k such that 

'"f = ""g + '^t + Sek, or 

where 

S = Vg{t) + Vg{k), 

and 

6' = Vg{n - t) + Vg{k). 

If there is no t such that t k and Vf{t) = Vf{n — t), then 
/ is contained in Class 1. If such t exists, / is contained in 
Class 2. Class 2 is defined based on Class 1. 

Theorem 3.5: Suppose / e SB„, n = 2fc. If AI(/) = fc, 
then / is in Class 1 or 2. 

Proof: If for any t fc, Vf{t) 7^ Vf{n~t), we will prove 
/ is in Class 1 . By Theorem 13.11 and Theorem 13.21 we know 
that Vf{i) = Vf{j) + 1 for all i,j G A^ and i < k < j, which 
satisfies the definition of Class 1 functions. 

If there is some t -<' fc, Vf{t) = Vf{n — t). By Theorem 
13.31 we know at most one such t can exist. 

When Vf{t) = Vf{n — t) = 0, by Theorem 13.41 we know 



Vf{k) = 1. Let Vg^ = Vf + Et and Vg 



x-t. By 



Theorem 13. II and Theorem 13. 21 gi, (72 are in Class 1 and Vf 



ct + Sck and vj 



Vg + Cn-t + 



Definition 13.31 When Vf(t) = Vfij 
same. 



S'ck, where S, S' are in 
t) — 1, the proof is the 



Classes 1 and 2 consist of all functions satisfying the 
necessary conditions to reach maximum algebraic immunity. 
In the following sequel, we will prove that they do reach 
maximum AI, i.e., the necessary conditions are sufficient. 

IV. Functions in Class 1 Have Maximum Algebraic 
Immunity 

Given a positive integer fc = (fc^, . . . , fci, fco)2 and any 
nonnegative integer i, we denote the vector 

by or simply Si if there is no confusion, where 



1, if i ^ h 
0, otherwise. 
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Equivalently, 

0<j<fe-l 

Furthermore, the inverse representation is easy to obtain, 
namely, 

0<j<fe-l 

Therefore, {eq, Ei, £a;-i} is a basis of ¥\. Moreover, 
{efc+i, £a:+2, • ■ • , £2k} IS also a basis of Fj, as the following 
lemma states. 

Lemma 4.1: {eo, ei, . . . , efe-i} and {efc+i, efc+2, • . • , e2fe} 
are two bases of Y\. 

Proof: By (HJ, we claim {eq, ei, Cfc-i} is a basis 
of F^-. For {efc+i , £fc+2, £2fc}, let's consider a system of 
homogeneous equation on variables .to,xi, ...,a;fc_i: 

/ £fc+i \ 
£fc+2 „ 

= 0, 

V £2fe / 

where X = (ccg, xi, G F2. We assume that this 
equation system has a nonzero solution A=(Ao, Ai, 
Afc_i) G F^. Let g{x) = X^^'Jn ^^(^^ ^ SB„, then Ag = 
(Ao,Ai,...,Afe_i,0,0, ...,0) G F2 +\ According to the as- 
sumption, for k + 1 < i < 2k, 

0<j<k 

which means Vg{i) = holds for k + 1 < i < 2k. Let / G SB„ 
be the function in Lemma 2.3. Thus, fg ~ and dcg(g) < k. 

However, by Lemma 2.3, AI(/) = k. Therefore, we have 
5 = 0, so the above system can have only one solution X ^ 0. 
Thus, {sk+i, £fc+2, ■ • • , £2fe} is a basis of F2. ■ 

For any < i < [log2 fcj , let 

U, = {£j h-GAti,0<j<fc-l}, 
V, = {£, \ j eA'i^„k + l<j <2k}, 

and 

W, G {U„V,}. 

Lemma 4.2: Uq or Vq, union Ui or Vi, . . ., union U^iog, fej 

or V^iog^ k\ , denoted by ljl=o^ '^^ is a basis of F2. 

Proof: First, we prove that all vectors in Vp can be 
written as linear combinations of vectors in {J^^Q^i, i.e., 
Vp C span(lJ^^Q Ui). Take an arbitrary vector in Vp, denoted 
by £t, for some t G Ap+i and k + 1 < t < 2k. Then, t = {*, 
kp, . . . , ki, fco)2 by Lemma 3.2, where * is a binary string of 
arbitrary length. We can expand et as follows: 

= E E E^J- 

0<i<k-l 0<i<k-l 

= E E 1- 

0<j<k-l 0<i<fe-l 



Therefore, £t can be written as a linear combination of 
vectors in lj[=o^ ''^ U^. For any £j ^ IJLo ^i, i.e., j = 
(*, kp, . . . , fci, ^0)2 and j < fc — 1, we calculate the coefficient 
of Ej, which is 

E 1= E _ 1- (9) 

„i^3^* , (*,kp,...,ki,ko)2^i^{*,kp.,...,ki,ko)2 
0<i<k-l 0<4<fc-l 

When kp = 1, there is no i that satisfies the con- 
straints; thus, equation ^ is 0. When kp = 0, if there 
is an i = (*, 0, ip_i, . . . , 12, ii, ^0)2 that satisfies constraints 
(*, kp, . . . , fci, ^0)2 i {*,kp, . . . , fci, fco)2 and i < fc - 1, 
it's not hard to see i + 2^ ^ {*, 1, ip-i, . . . ,12, ii, 10)2 also 
satisfies the above constraints and vice versa. Therefore, all 
Is counted in equation Q are in pairs; thus, equation (|9]l is 

0. Since all £_, ^ UiLo ^^^^ ^'^^ exist in the expansion of 
£t G Vp, we conclude that Vp C span(|J^^g Ui). 

Second, we use math induction to prove that the vector 
space spanned by [Jf^pUi is that spanned by (Jf^pWi, for 
p = 0, 1, . . ., [log2 fcJ. The induction parameter is p. 

Basis: We claim that span(Uo) = span(Vo). 

By Lemma 4.1, there is no linear dependence in Uq and 
Vq, so dimspan(Uo) = |Uo| — |Vo| = dimspan(Vo). Having 
considered that Vq C span(Uo) and both Uq and Vq are finite, 
we claim span(Uo) = span(Vo). 

Induction: Assume it is true for p = 0,l,...,q — 1. Claim 
it is also true for p ~ q. 

Since V^ C span(lJ^^Q Ui), we have 
q q 
span(|J U,) = span(|J U, U V,) 

j=0 j=0 

9-1 

= span(|J U^UU^UV,) 

i=0 
9-1 

= span(|J V.UUgUV,) 

1=0 

q 

3 span(|JvO 

4=0 

Notice that ULoUj ^ {£0, £fc-i} and ULo^* C 
{£fc+i, £„_i} due to the definition of Ui and Vi. By 
Lemma 4.1, there is no linear dependence in lJ?=o and 
ULo^i ' which means dimspan(lJ^^Q Ui) = I]Lo l^d 
= X]i=o 1^*1 ~ "^i™ ^P^*^ (Ui=o^»)- Thus, we have 
span(ULoUO = span(ULoVO = span(UU U U,) 
= span(lJ^^Q Wi U V„), which completes the induction. 

Therefore, span(uIiT W,) = span(UliT ^^0- By 
Lemma [431 we know Ui=o^ Ui is a basis of Fj. Therefore, 
Uli°o' is also a basis of F^. ■ 

In Theorem 4.1, we consider the symmetric annihilators 
of Boolean functions in Class 1. We show that all Boolean 
functions in Class 1 have no symmetric annihilator with 
degree less than k. In Theorem 4.2, we show that all Boolean 
functions in Class 1 have maximum AI. 

Theorem 4.1: Let n = 2k and / G SB„. If Vf{i) ^ Vf{j) + 

1, for any i,j G A^ with 0<i<k<j<2k and any 
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1 < i < Llog2 "^J ' '^hen there does not exist any nonzero n- 
variable symmetric Boolean function g with degree less than 
k, such that fg or (/ + 1)5 = 0. 

Proof: Let g{x) = I]o<i<fc ^i'^i ^ ^"'^ A=(Ao, Ai, 



when Vf{i) = 1. According to the condition of this theorem 
that Vf{i) ~ Vf{j) + 1, for any i,j G Af with < i < fc < 
j < 2k and any 1 < t < [logjrij, we can obtain a system 
of homogeneous linear equations on variables Aq, . . . , Afc_i of 
the form 

\ 



ao 
ai 



A' 



0, 



where ao, ai, 



ctk-i 



}=U 



[log2 fej 



afc-1, P 



{ao, 



tti, 



W, and 



/3 = 



0,if Vf{k) = 0, 
Sk, otherwise. 



However, by Lemma 4.2, matrices of this kind have full rank. 
So we have A = 0; thus, 5 = 0. 

Denote the system of homogeneous linear equations ob- 
tained by the condition fg = by 



0, 



(10) 



i.e., let M/ be the coefficient matrix of the system. Formally, 

ned as fol 

( \ 



coefficient matrix Mf is defined as follows: 



Mf 



(11) 



where Ej is a row vector of Mf if and only if = 1. The 
row vectors of Mf are ordered by < ii < 12 < • ■ • < < 
2k. 

Similarly, if [f + l)g = 0, then the coefficient matrix M/+i 
of the system of homogeneous linear equations 



Mz+iA"^ 

also has full rank. Therefore, g = 







0. 



In the following sequel, we only consider the rank of AI /, 
which means the order of the row vectors of Mf is not 
important. From the definition of Mf, we know e^j is a row 
vector of Mf if and only if Vf{uj) ~ 1. 

Theorem 4.2: Let n ~ 2k and / G SB„. If Vf{i) = Vf{j) + 
1, for any i,j G A^ with 0<i<k<j<2k and any 
1 <t< [log2 n\, then AI(/) = k. 

Proof: Assume to the contrary that AI(/) < k. Then, 
there exists a Boolean function ^ g G B„ with degree less 
than k, such that fg = or {f + l)g = 0. 

For the case fg = 0, by Lemma 2.4, there exists a 
symmetric Boolean function 7^ /i G SB„_26 with dcg(/i) < 



deg(g) — & < k — b for some integer < 5 < fc, such that 
fhPf, = 0. Let /i G SBn-2b, be defined as 



fl(x2b+l,- . . ,X„) = /(O, 1, ... ,0, 1,X2&+1, . . .,Xn)- 



\k-i) G F^. If fg = 0, then Vg{i) = e^A' = holds Then 



Vh{^=Vf{i + b) (12) 



for any < i < n — 26. 

i) On one hand, we claim that fih ~ 0. If fih ^ 0, then 
there exists an i such that i G WS(/i) fl WS(/i), where 
i G WS(/i) implies i + 6 G WS(/) by ([T2I1 and i G 
WS(/i) impHes i + 6 G WS{hPb) by the definition of Pb. 
Thus, i + be WS(/) n WS{hPb), which is contradicted 
with fhPb = 0. 

ii) On the other hand, we will show a contradiction by 
proving /i and /i + 1 do not have symmetric annihilators 
with degree less than k — b. For any i, j G A^~^, 1 <t < 
[log2(n — 2b) \, i < k - b < j, v/e have i + b,j + be 



and i + b < k < j + bhy Definition 13. 21 By the conditions 
in this theorem, we have Vf{i + b) = Vf{j + b) + l, which 
implies Vf-^ (i) = Vf^ (j) + 1 by (fT2l i. Then /i is contained 
in Class I. According to Theorem 4.1, /i or /i + 1 do 
not have symmetric annihilators with degree less than k, 
which is contradicted with the existence of h. 

Therefore, / does not have nonzero annihilators with degree 

less than k. 

For the case {f+l)g = 0, we can consider fi + l instead. By 
the same argument above, we can prove that if / + 1 does not 
have nonzero annihilator with degree less than k. Therefore, 
we have AI(/) = k. 



V. Functions in Class 2 Have Maximum Algebraic 
Immunity 

In this section, we will use the same notations as the last 
section, such as Sk, Mf, and so on. We always assume ?? = 2k 
and k ~ (fc„i, . . . , ki, ^0)2, where m = [log2 fcj. We denote 
by supp(fc) = {p\kp = 1}, then m G supp(fc). 

We first present Lemmas 5.1, 5.2, 5.3, and 5.4. With these 
lemmas, we study the annihilator of Boolean functions in Class 
2. In Theorem 5.1, the symmetric annihilators of Boolean 
functions in Class 2 are studied. In Theorem 5.2, all the 
annihilators of Boolean functions are studied. 

The following Lemma plays an important role in the proof 
of Lemma 5.2. 

Lemma 5.1: Given three constants a,b,c G F2, consider the 
following system of inequalities on variable t G F2 




(13) 



we have 

(1) If a = c, or (a, 6, c)=(l, 1, 0), then equations ( fT3] ) have 
one solution. 

(2) If a = and c — 1, then equations ( fT3] l have two 
solutions. 
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(3) If (a, &, c)=(l, 0, 0), then equations ( fT3] l do not have 
any solution. 

Proof: It is easy to obtain the conclusions. ■ 
Lemma 5.2: For any < p < m + 1, we have 

Proof: When p = 0, equation (fT4l) holds because both 
sides are e^. Moreover, if fcp_i = 0, i.e., 1 ^ supp(fc), then 
{j I J G -^pj J ^ fc}=0, equation ( fT4l i also holds. Therefore, 
in what follows, we always assume p and fcp_i = 1. 
For the left-hand side of equation (fT4l i. we have 



E 



E E^^ 
E^^ E 1- 



Let i = . . . , ii, 10)2, j = (jm, • ■ • , ji, jo)2- By Lemma 
3.2, if J £ Ap and j ^ k, then we have 



(.7p- 1 , jp-2 , • ■ • , , jo) = (^V- 1 , , • • ■ , fci , fco) • 
Therefore, 



Thus 



E 1 = 1 



if and only if 



* — {km, ■ ■ ■ ,kp, kp-i, ip-2, ■ ■ ■ , io)2 
with (ip_2, • • • , *o) ^ {kp-2, ■ ■ ■ ,ki, kg). Hence, we have 



E 



E 



(ip-2,---,'il,io)r}(fep-2,---,fel,fco) 



For the right-hand side of equation (fl4l i. we have 



E ^2fc- 



j&^p 



E E 

j^fc, i^2k-j 

jeAp o<i<fc-i 

E E 1- 

0<i<A:-l i<'^k-i 
j-<k,j£Ap 



If j 6 Ap, then the last p bits of j and 2k — j are both (kp-i, 
fcp_2, • ■ • J fci, fco)- Hence, 

k-j^{km+ jrn, . . . , fcp + jp, 1, 0, . . . , 0)2 

and we can write 2k -j + j,„ + . . . , 

kp+i +jp+2 + Sp+i, kp + jp+i, jp, 0, fcp_2, . . . , ko)2, where 
for any g > p, = 1 if and only if (/cq_i, jq, Sq_i)=(l, 1, 1) 
or, kq-i = and .Sg_i) 7^ (0,0). Note that the additions 
are in F2. 
If 



(ip_i, ip_2, . . . , hyio) ii (fcp-i, fcp-2, • ■ • , fci, fco), 



then {j I i ^ 2fc - j, j ^ k,j e Ap} = 0; thus, 

E 1 = 0- 



j^kJGAp 



Now assume 



(ip_i, ip_2, • • • , «i,«o) ^ (fcp-i, fcp-2, • ■ • , fci, fco), 
then i <2k ~ j, j ^ k, j G Ap if and only if 



(jp-l: Jp-27 • ■ • : Jo) — {kp-l,kp_2, . . . , feg) 



and 



J (^7717 • ■ • ; ^p) I!^ (^m — 1 ^" Jm ^" "^m — 1 1 • ■ • 7 ^p ^" Jp+1 7 Jp); 
I (jm 1 ■ ■ ■ 1 jx) ^ (^m , ■ • ■ , fcp ) • 

(15) 

Equations ( fTSl ) are equivalent to the intersections of a series 
of systems of inequalities as follows: 

{*p < 1 + Jp I ip+i ^ kp + jp+i 
jp < kp ' \ip+i < fcp+i 

{^m !^ ^m — 1 ^~ jm ^" -^^^ — i 
Jm ^ km 

If (im, . . . , ip) = {km, ■ ■ ■ , kp), by Lemma 5.1, each system 
of inequalities has one and only one solution with respect 
to jq. Thus, we can conclude that there is one and only one 
solution of {jm, ■ ■ ■ ,.70)2 satisfying i < 2k- j, j ^ k, j G Ap. 
Therefore, the coefficient of e^, where i = (km, ■ ■ ■ , kp, kp-i, 
ip-2, ii, io)2, equals 1. 

Else if {im, ...,ip)^ {km, kp), then the set {q \ kq ^ 
1, iq = 0} is not empty. For any such q, the corresponding 
system of inequalities with respect to jq has two solutions, 
according to Lemma 5.1. While for any other systems, either 
one solution or no solution exists. Therefore, the number of j's 
satisfying i <2k — j, j -< k, and j E Ap is even. Therefore, 
the coefficient of equals 0. As a result, we have 



E 



£2k-j 



E 



j^k jeAp 



i=ikm,---,kp,kp-i,ip-2,---,il,ia)2 
{ip-2,---,il,io)^{kp^2^---,ki,ko) 



So equation (fT4] l holds. This finishes the proof of this theorem. 



Lemma 5.3: For any positive integer k, we have 

j^k 

Proof: Let i = (i„,, 10)2, j = (jm,---,jo)2 and k = 
{km, ko)2. Consider the equation 



E^.-E E 



E -^Ei- 



j^k j^k i^j 0<i<k-l i^j^k 

0<i<fc-l 

Notice here, i ^ k. By the definition of ^, for each i d: k, 
the number of j such that ? ^ j ^ fc is 

i^j^k 
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Then, we have J2i-!.j^k ^ always even because i ^ k, which 
means J2j'<k = 0. Thus, we have Sk = J2j^k • 

Lemma 5.4: For any positive integer fc, we have 

£k = ^£„-j. 

j^k 

Proof: According to Lemma 5.3, we have 



£k 



E^.- E E 



j-<k 



0<p<m+l jeAp,j-<k 



because Ap for all < p < m + 1 is a partition of {0, 1, n}. 
By applying Lemma 5.2 to the right-hand side of the equation 
above, we have 

£k — £n~j = £n-j- 

0<p<m+l jGApJ^k j-<k 



With these lemmas above, we have 

Theorem 5.1: Suppose / £ SB„ such that there exists a 
function /' in Class 1 and an integer t k such that 

Vf — Vf> + et + Sck, or 

where 

S = vf,{t) +vf>{k), 



and 



6' = Vf,(n -t) + Vf,{k). 



Then both / and /+1 have no nonzero symmetric annihilators 
with degree less than k. 

Proof: Any n-variable symmetric Boolean function g with 
degree less than k can be written as g = X]o<i<fc ^i'^i- 
fg = or (/ + l)g = 0, similar to the proof of Theorem 
4.1, we can set up a system of homogeneous linear equations 
on variables A/s. If we can show that the coefficient matrix 
Mf has full rank, then the equation system has only zero 
solution which means Xg = 0; thus, g = 0. By the definition 
of coefficient matrix (fTTl i. Mf is only slightly different from 
that of equation -A//', because Vf{i) = Vf'{i) holds except for 
i = t, k, n — t. Notice that we only care about the rank of Mf 
and Mf. Since /' is in Class 1, we have Vf'{t)=Vf'{n — t) + l 
and Mf, Mf^i both have full rank by the proof of Theorem 
O Let a G Fa, if 

{vf{t),Vf{k),Vf{n-t)) = {a,a,a + l), 

then 

{vf{t),Vf{k),Vf(n — t)) — (a + 1, a, a + 1) or (a,a + l,a). 

Case 1: a=0. 

{vf{t),vf{k),vf{n-t)) = {0,0,1). 

Let pi be the integer satisfying t G Ap-^, then for any i > k 
and i G Ap-^, we have Vf{i) = 1 for the reason /' belongs to 
Class 1 . Consider the difference between the coefficient matrix 
M / and Mf . By the definition of coefficient matrix (fTTT i. since 



Vf{n — t) = 1 and Vf{t) = Vf{k) = 0, £n~t is a row vector 
of M f but Et and are not. 

When {vf{t),Vf{k), Vf{n — t)) = (1, 0, 1), the row vectors 
of M f and Mf are all the same except that an extra et is a 
row vector of Mf by the definition of coefficient matrix ( fTTT i. 
Then, M f has full rank as Mf has full rank. 

When {vf{t),Vf{k),Vf{n - t)) = (0, 1,0), the only differ- 
ence with Mfi is that Sk is a row vector of Mf but Sn-t is not 
by the definition of coefficient matrix (fTTl i. If we can prove 
that En-t is a linear combination of Sk and other row vectors 
in M f, then Mf also has full rank. In the next paragraph, we 
will complete this proof. 

By Lemma 5.4 and the fact that Ap for all < p < m + 1 
is a partition of {0, 1, n}, we have 



E ' 

iG-4pj J^k 



£k 



E E' 

a<p<m+l j^k 



-n-j- 



(16) 



Since t G Ap^ and t k which means t < k, then En-t 
appears on the left-hand side of ( fTSI l. Remember that for any 
i > k where i G Ap^, we have Vfi{i) = 1. Thus, we have 
Vf{i) = 1 for any such i with i ^ n — t, which means all 
vectors in the left-hand side of (fTSI l are row vectors of Mf 
except En-t by the definition of (12). While for the right- 
hand side of (fTSI l. notice that since /' is contained in Class 
1. Then if one element uj in the set {j\j G Ap,j ~< k} (or 
{n — i\j G Ap,j -< k}) satisfies Vfi{uj) = 1, so do the other 
elements in the set. By the definition of (fTTl i. if one term in 



(orE 



£n~j) is a row vector of Mf, 



so are the other terms. By the definition of Mf, we can see 
Mf also has this property as M f for any p pi. Then, we 
can turn all terms on the right-hand side of ( fTSI l into the row 
vectors of Mf by Lemma 5.2 as follows. If X^jeA j^k ^n-j 
with p ^ pi appears but not row vectors of M f, then we apply 
Lemma 5.2 to replace EjeAp,j-<k by EjeAp j^fe ^j- We 
can continue this procedure until that any vector that appears 
in the right-hand side also appears as a row vector of M/. 

After this, both sides of (fTSI l become row vectors of Mfi 
except En-t- Thus we can conclude that En-t is a linear 
combination of row vectors of Mf. Therefore, Mf has full 
rank because Mfr has full rank. 

Consider the difference between M/+i and M/'+i. Since 

{vf,+i{t),Vf+i{k),Vf,+i{n - t)) = (1, 1,0), 

and recalling the definition of coefficient matrix ( fTTl i. Et 
and Ek are row vectors of M//+i. While for My+i, if 
{vf+i{t),Vf+i{k),Vf+i{n—t)) = (0, 1, 0), the only difference 
is that Et is not a row vector of M/+i. By the same argument 
above using Lemmas 5.2 and 5.3, Et is a linear combination 
of row vectors of M/+i. This has no influence to the rank of 
M/+1. Therefore, M/+i also has full rank because Mf+i has 
full rank. 

Otherwise, if {vf+i{t),Vf+i{k),Vf+i{n - t)) = (1,0,1), 
according to the definition of coefficient matrix (fTTI) . the 
difference is that En-t is a row vector of Mf+i but Ek is not. 
This matrix is also full rank because is a linear combination 
of other row vectors in Mf/ due to Lemma 4.2. 



Case 2: a=l. 
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We can reach the conclusion that the matrices Mf and 
Mf+i always have full rank in the same way of Case 1. 
Else if 

{vf'{t),Vf>{k),Vf'{n - t)) = {a,a + l,a+ 1), 

then 

{vf{t),Vf(k),Vf{n — t)) = {a + l,a,a + I) or {a,a + l,a). 

In a similar way to the discussion as above, no matter a = 
or 1 and no matter what /' is, the coefficient matrices M / and 
always have full rank, which implies A = 0; thus, g = 0. 

Therefore, both / and / + 1 have no symmetric annihilators 
with degree less than k. ■ 

Theorem 5.2: Suppose / e SB,i such that there exists a 
function /' in Class 1 and an integer t k, such that 

Vf ^ Vfi + Cf + Sck, or 
+ firi-t + S'ek, 

where 

S = Vf,{t)+Vf,{k), 

and 

S' = Vf'{n~t) + Vf,ik). 

Then AI(/) = k. 

Proof: Assume to the contrary that AI(/) < k. Then, 
there exists a Boolean function 7^ g G B„ with degree less 
than k, such that fg = or (/ + l)g = 0. 

For the case fg ~ 0, by Lemma 2.4, there exists a 
symmetric Boolean function ^ h G SB„_26 with dcg(/i) 
< deg{g) — b < k — b for some integer < b < k, such that 
fhPb = 0. 

Let fi G SB„-2b be defined as 

/l(a;2fc+l, • • • ,Xn) = /(O, 1, ... ,0, 1,X26+1, . . . , Xn)- 

Then 

vsAi) = vf{i + b) (17) 

for any < i < n — 26. 

On one hand, by following the same argument of i) in the 
proof of Theorem 14.21 we have /i/i = because fhP\, = 0. 

On the other hand, we will show a contradiction by proving 
/i and /i + 1 do not have symmetric annihilators with degree 
less than k — b. For any i, j G A^^^, 1 < p < [log2 {n — 2b) \ , 
i < k — b < j , we have i + b,j + b G and i + b < k < j + b 
by Definition 13.21 

If t < 6, then t - b, n - {t - b) ^ A^-'' for any 1 < p < 
[log2 {n — 2b) \ . Then, by the conditions of this theorem, we 
have Vf (i+b) = +6) + 1, which implies Vf^{i) =i'/i(j) + 
1 by (T% . Then, /i is contained in Class 1. According to 
Theorem 4.1, /i and /i + l do not have symmetric annihilators 
with degree less than k, which contradicts the existence of h. 

lft>b, then t-b k-bhy the definition of -<' and t-b, 
n-{t-b) e A'^-'' for some I <p< [loga (?i - 25)J . Then, by 
the conditions of this theorem, we have Vf{t) = Vf [n — t) = 
Vf{k) + 1 and Vf{i + b) = Vf{j + b) + l for i + b / t and j+5 ^ 
n — t, which implies Vf^{t — b) = v j^{n — {t — b)) = w/i {k) + l 
and w/j [i) = Vf^ (j) + 1 for z 7^ < — 6 and j ^ n — [t — b). 
Then, /i is contained in Class 2. According to Theorem 5.1, 



/i and /i + 1 do not have symmetric annihilators with degree 
less than fc, which contradicts the existence of h. 

Therefore, / does not have nonzero annihilators with degree 
less than fc. 

For the case (/+l)g = 0, we can consider /i+l instead. By 
the same argument above, we can prove that if / + 1 does not 
have nonzero annihilator with degree less than fc. Therefore, 
we have AI(/) = fc. ■ 



VI. Main Result 

Finally, we obtain the following main result. 

Theorem 6.1: Let n = 2k, k = {km, • • . , fci, fco)2, where 
m = [log2fcJ. Let supp(fc) = {p \ kp = 1}. Given / G SB„, 
then AI(/) = fc if and only if Vf satisfies one of the following 
three cases: 

1) There exist a^, a^, 02, . . . , a^, a,„+i G F2, such that 
for any 1 < t < m + 1 and i,j € At,0 < i < k < j < 
2k, Vf{i) = Vf{j) + 1 =at holds, and v/(fc) = aq. 

2) There exist oi, 02, . . . , a,„, a,„+i G F2, such that for 
any 1 <t <m and i,j G At,Q < i < k < j < 2k,Vf{i) = 
Vf{j) + l=at holds, and 

{vf{k-2"'),Vf{k),Vf{k + 2"'))) = (a,„+i,a,„+i + l,a,„+i); 

3) There exists an integer po G supp(fc), po ^ m, and a\, 
02, ... , Cm, flm+i, 6po £ F2 such that for any \ <t < m + 1, 
i,j € At,0 < i < k < j < 2k, i io and j n ~ io, 
Vf{i) = Vf{j) + l=at holds, and 

{vf{io),Vf{k),Vf{n - ia)) = {bp„,bp„,bp^,), or 

{vf{io),Vf{k),Vf{n- io)) = {bp„,bp„,bpa), 

where io=(fcpo_i, . . . , fci, fco) k. 

The total number is (2wt(7T,)+l)2L'°S2 «J . And the values of 
their Hamming weight are {2"-i±i (j;^) , 2"-i+i („%)-(^) , 
2"-^4CvX:)^ foranyzVfc}. 

Proof: Notice that Vf satisfies item 1 if and only if / 
belongs to Class I, Vf satisfies items 2 or 3 if and only if / 
belongs to Class 2. Then, the necessity is proved by Theorem 
3.5, while the sufficiency is proved by Theorems 4.2 and 5.2. 

The number of functions satisfying item 1 is 2™+^, the 
number of functions satisfying item 2 is 2™+^, and the number 
of functions satisfying item 3 is (wt(7i) — 1)2™+^, because 
different choices of a/s, bp„ and io will generate different 
functions. Therefore, the total number is (2wt(n) + 1)2™"*"^. 
The corresponding values of Hamming weight are also easy 
to calculate. ■ 

For example, when n = 14, we have fc = 7, m = [log2 7J = 
2 and supp(7)={0, 1, 2}. 

There are 16 functions satisfying the conditions of item 1). 
Among them, the simplified value vectors of those satisfying 
Vf{7) = 1 are as follows: 
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f 

J 


aVV/t?j(Uj...l'j(14) 


1 


nnnnnnn 11111111 
UUUUUUU 11111111 


2 


r\r\f\ 1 ^\^\/^^ 11 1 1 rt 1 11 
UUU 1 uUO llllUlll 


J 


n 1 nnn 1 n 1 1 n 1 1 1 n 1 
U 1 UUU 1 U 1 1 U 1 1 1 U 1 


4 


101010110101010 


5 


010101011010101 


6 


101 1101 10100010 


7 


111011110001000 


8 


111111110000000 



All of them have the same Hamming weight 
2^^+i(^^*)=9908, whereas all of their complements have the 
same Hamming weight 2^'^-i(^^)=6476. 

There are 8 functions satisfying the conditions of item 2. 
Among them, the simplified value vectors of those satisfying 
Vf{7) = 1 are as follows: 



/ 


SVV:i'f(0)...?;f(14) 


1 


000000011110111 


2 


010001011010101 


3 


101010110100010 


4 


111011110000000 



All of them have the same Hamming weight 2^'^+^{^^)- 
(3'') =9544, whereas all of their complements have the same 
Hamming weight 2^^-^('^) + {^;^)=68A0. 

There are 32 functions satisfying the conditions of item 3 
because wt(14) = 3 and can be or 1. When = 0, 
among such functions, the simplified value vectors of those 
satisfying w/(7) = 1 are as follows: 



/ 


SVV:i',(0)...t)f(14) 


1 


000000011111110 


2 


010001011011100 


3 


001010110101010 


4 


011011110001000 


5 


000100011110110 


6 


010101011010100 


7 


001110110100010 


8 


011111110000000 



All of them have the same Hamming weight 2^'^+i (^^'')- 
( p'')=9907, whereas all of their complements have the same 
Hamming weight 2^^-^{^^) + {'^^)=6'i77. 

When io ~ 1, among such functions, the simplified value 
vectors of those satisfying f/(7) = 1 are as follows: 



/ 


SVV:t)/(0)...t)/(14) 


1 


000000011111101 


2 


000001011011101 


3 


101010110101000 


4 


101011110001000 


5 


000100011110101 


6 


000101011010101 


7 


101110110100000 


8 


1011 11 110000000 



All of them have the same Hamming weight 2^^+^(^^)- 
(^j*)=9894, whereas all their complements have the same 
Hamming weight 2"-i (i4) + (i4)=6490. 

VII. Conclusion 

In this paper, we give a necessary and sufficient condition 
for an even-variable symmetric Boolean function to reach 
maximum algebraic immunity for the first time. 



We first study the weight supports of low-degree symmetric 
Boolean functions and use some linear algebras to obtain 
some necessary conditions for an even-variable symmetric 
Boolean function to reach maximum algebraic immunity, then 
we divide the functions satisfying these conditions into two 
classes. Finally, we proved that functions of either class indeed 
have maximum algebraic immunity. Thus, the problem of 
finding all even-variable symmetric Boolean functions with 
maximum algebraic immunity is solved. 
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